Sandworm Team

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009.[1][2][3][4]

ID: G0034
Associated Groups: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR
Version: 1.0
Created: 31 May 2017
Last Modified: 04 July 2020

Associated Group Descriptions

Name: Description
ELECTRUM: [18]
Telebots: [4]
IRON VIKING: [17]
BlackEnergy (Group): [4]
Quedagh: Based on similarities between TTPs, malware, and targeting, Sandworm Team and Quedagh appear to refer to the same group.[1][14]
VOODOO BEAR: [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[6]

Enterprise T1087 .003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[10]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[6]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.[12][6][11]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[6]

Enterprise T1485 Data Destruction

Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.[7][11]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses base64 encoding and HTML tags in its communication traffic with the C2 server.[6]
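The entry above describes C2 traffic that hides base64-encoded data inside HTML tags. As an added detection example (not code from the page or from any referenced report), the following Python scans an HTTP response body for elements whose entire text is a strict base64 blob and decodes them for analyst review. The sample body, tag names, and hostname/user values are constructed for the demonstration; the tag-name backreference and strict `validate=True` decoding keep ordinary page text and near-miss strings from being flagged.

```python
import base64
import binascii
import re

# Text enclosed by one HTML element, e.g. <p>QUJD...</p>. The tag name is
# captured and back-referenced so an open tag is only paired with its own close.
TAG_TEXT = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)[^>]*>([^<]+)</\1>")
# Strict base64 alphabet, at least 32 characters, optional padding, anchored so
# mixed prose-and-base64 text is rejected.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def decode_strict(candidate):
    """Return decoded bytes if candidate is well-formed padded base64, else None."""
    if len(candidate) % 4 != 0:
        return None
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_base64_in_tags(body):
    """Return (tag, decoded_bytes) for every element whose whole text is a base64 blob."""
    findings = []
    for tag, text in TAG_TEXT.findall(body):
        blob = text.strip()
        if not B64_BLOB.match(blob):
            continue
        decoded = decode_strict(blob)
        if decoded is not None:
            findings.append((tag, decoded))
    return findings


# Constructed sample response body (not captured traffic). The base64 payload is
# built at runtime from a made-up system-information string.
SAMPLE_PAYLOAD = b"hostname=WS-07;user=jdoe;os=Windows 10 Pro;"
SAMPLE_BODY = (
    "<html><body>"
    "<h1>Welcome</h1>"
    "<p>Regular page text here.</p>"
    "<div>" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "</div>"
    "</body></html>"
)

if __name__ == "__main__":
    for tag, decoded in find_base64_in_tags(SAMPLE_BODY):
        print(f"<{tag}> carries {len(decoded)} decoded bytes: {decoded[:40]!r}")
```

Base64 inside HTML is not malicious on its own (data URIs and embedded scripts use it legitimately), so a finding from this scanner is a triage lead to be correlated with the destination host, request cadence, and decoded content rather than an alert by itself.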

Enterprise T1140 Deobfuscate/Decode Files or Information

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[6][10]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[7][11]

Enterprise T1041 Exfiltration Over C2 Channel

Sandworm Team has sent system information to its C2 server using HTTP.[6]

Enterprise T1203 Exploitation for Client Execution

Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[5][8][9]

Enterprise T1133 External Remote Services

Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[12][11]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[6][10]

Enterprise T1105 Ingress Tool Transfer

Sandworm Team's Python backdoor can push additional malicious tools to an infected system.[6]

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[6]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[6]
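Naming a malicious binary after a Windows system file, as described above, leaves one reliable defensive signal: the file runs from a directory where the genuine binary never lives. As an added detection example (not code from the page or from any referenced report), the Python below checks process-creation events for image names that match a known system binary but sit outside that binary's expected directory. It generalizes beyond explorer.exe to a small allow-list of other commonly imitated names; the event records and paths are constructed sample data, and the allow-list entries are the standard locations on a default Windows install.

```python
import ntpath

# Expected directories for a few Windows binaries whose names malware often
# borrows (T1036.005). Compared case-insensitively, as NTFS paths are.
# explorer.exe legitimately lives in C:\Windows, not in System32.
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}


def normalize(path):
    """Fold case and separator style so equal paths compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_masquerading(image_path):
    """True if the file name is a watched system binary but its directory is not an expected one."""
    directory, name = ntpath.split(normalize(image_path))
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return False  # not a name we watch
    return directory not in expected


def find_masquerading(events):
    """Return (pid, image) for process-creation events that look like name masquerading."""
    return [(e["pid"], e["image"]) for e in events if is_masquerading(e["image"])]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\explorer.exe"},
    {"pid": 4411, "image": r"C:\Users\Public\explorer.exe"},
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 5120, "image": r"C:\ProgramData\Temp\SVCHOST.EXE"},
    {"pid": 3330, "image": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for pid, image in find_masquerading(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} image={image}")
```

The path check is deliberately exact rather than prefix-based, so a file at `C:\Windows\Temp\explorer.exe` is still flagged; in production the same logic would be fed from Sysmon Event ID 1 or Windows Security 4688 records, where the image path field is already populated.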

Enterprise T1040 Network Sniffing

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[6]

Enterprise T1571 Non-Standard Port

Sandworm Team has used port 6789 to accept connections on the group's SSH server.[12]

Enterprise T1027 Obfuscated Files or Information

Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[5][6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[6][11]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[5][7][6]

Enterprise T1090 Proxy

Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[6]

Enterprise T1219 Remote Access Software

Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously open circuit breakers.[7]

Enterprise T1018 Remote System Discovery

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[6]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[10]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[13][11]

Enterprise T1082 System Information Discovery

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[10]

Enterprise T1016 System Network Configuration Discovery

Sandworm Team used malware to enumerate proxy settings from the M.E.Doc application.[10]

Enterprise T1204 .002 User Execution: Malicious File

Sandworm Team has delivered spearphishing attachments with malicious macros embedded within files.[6]

Enterprise T1078 Valid Accounts

Sandworm Team has used previously acquired legitimate credentials prior to attacks.[7]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[6][11]

Software

ID Name References Techniques

S0089 BlackEnergy [1][14]
Abuse Elevation Control Mechanism: Bypass User Access Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: Services File Permissions Weakness, Indicator Removal on Host: Clear Windows Event Logs, Input Capture: Keylogging, Network Service Scanning, Peripheral Device Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Unsecured Credentials: Credentials In Files, Windows Management Instrumentation

S0401 Exaramel for Linux [15]
Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Systemd Service, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Cron

S0343 Exaramel for Windows [15]
Archive Collected Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Masquerading: Masquerade Task or Service, Modify Registry

S0368 NotPetya [4]
Data Encrypted for Impact, Exploitation of Remote Services, Indicator Removal on Host: Clear Windows Event Logs, Masquerading: Rename System Utilities, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, System Services: Service Execution, System Shutdown/Reboot, Valid Accounts: Local Accounts, Windows Management Instrumentation

S0365 Olympic Destroyer [16][17]
Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Indicator Removal on Host: Clear Windows Event Logs, Inhibit System Recovery, Lateral Tool Transfer, Network Share Discovery, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Service Stop, System Network Configuration Discovery, System Services: Service Execution, System Shutdown/Reboot, Windows Management Instrumentation

References